031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88

Analysis

max time kernel
152s
max time network
154s
platform
windows7_x64
resource
win7v20210408
submitted
17-05-2021 08:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Size

125KB
MD5

b93a26c815c554c3406d9035897584d2
SHA1

b2f53636d151150c2f213cdadf504ca3bc83abb7
SHA256

031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88
SHA512

0f19fc6ec3c4fd48e87ac76373f42ee1a161e2b0cabbca8f30ac51b8b7075133c967c1b518346084cf416b5ec68aeb18b0326b2eb9545757c254c7632507b35a

Score

10^/10

adware persistence stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe

Modifies system executable filetype association 2 TTPs 21 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe

Drops file in Drivers directory 44 IoCs

Processes:

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\spools.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 42 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

description	ioc	process
File opened (read-only)	\??\X:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\E:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\L:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\G:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\F:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\N:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\E:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\O:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\R:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\O:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\G:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\P:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\I:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\U:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\V:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\P:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\S:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\Q:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\O:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\M:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\V:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\R:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\S:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\X:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\P:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\T:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\U:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\F:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\I:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\H:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\T:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\G:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\I:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\T:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\R:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\U:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\L:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\S:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\J:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\Q:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\H:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\X:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\L:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\W:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\T:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\M:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\G:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\R:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\S:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\L:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\G:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\I:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\L:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\L:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\W:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\M:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\V:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\M:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\O:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\J:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\G:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\U:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\G:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
File opened (read-only)	\??\H:	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe

Modifies registry class 21 IoCs

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

pid	process
1080	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
1300	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
1552	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
832	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
920	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
1692	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
1796	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
1544	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
1668	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
1676	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
1388	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
1592	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
1740	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
2004	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
484	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
1876	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
924	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
1600	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
1956	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
316	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
1008	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

C:\Users\Admin\AppData\Local\Temp\031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
"C:\Users\Admin\AppData\Local\Temp\031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
2⤵
PID:1288

C:\Users\Admin\AppData\Local\Temp\031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
C:\Users\Admin\AppData\Local\Temp\031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
2⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1300

C:\Users\Admin\AppData\Local\Temp\031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
C:\Users\Admin\AppData\Local\Temp\031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
3⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1552

C:\Users\Admin\AppData\Local\Temp\031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
C:\Users\Admin\AppData\Local\Temp\031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
4⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:832

C:\Users\Admin\AppData\Local\Temp\031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
C:\Users\Admin\AppData\Local\Temp\031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
5⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:920

C:\Users\Admin\AppData\Local\Temp\031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
C:\Users\Admin\AppData\Local\Temp\031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
6⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1692

C:\Users\Admin\AppData\Local\Temp\031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
C:\Users\Admin\AppData\Local\Temp\031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
7⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1796

C:\Users\Admin\AppData\Local\Temp\031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
C:\Users\Admin\AppData\Local\Temp\031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
8⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1544

C:\Users\Admin\AppData\Local\Temp\031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
C:\Users\Admin\AppData\Local\Temp\031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
9⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1668

C:\Users\Admin\AppData\Local\Temp\031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
C:\Users\Admin\AppData\Local\Temp\031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
10⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1676

C:\Users\Admin\AppData\Local\Temp\031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
C:\Users\Admin\AppData\Local\Temp\031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
11⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1388

C:\Users\Admin\AppData\Local\Temp\031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
C:\Users\Admin\AppData\Local\Temp\031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
12⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1592

C:\Users\Admin\AppData\Local\Temp\031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
C:\Users\Admin\AppData\Local\Temp\031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
13⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1740

C:\Users\Admin\AppData\Local\Temp\031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
C:\Users\Admin\AppData\Local\Temp\031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
14⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2004

C:\Users\Admin\AppData\Local\Temp\031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
C:\Users\Admin\AppData\Local\Temp\031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
15⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:484

C:\Users\Admin\AppData\Local\Temp\031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
C:\Users\Admin\AppData\Local\Temp\031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
16⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1876

C:\Users\Admin\AppData\Local\Temp\031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
C:\Users\Admin\AppData\Local\Temp\031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
17⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:924

C:\Users\Admin\AppData\Local\Temp\031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
C:\Users\Admin\AppData\Local\Temp\031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
18⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1600

C:\Users\Admin\AppData\Local\Temp\031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
C:\Users\Admin\AppData\Local\Temp\031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
19⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1956

C:\Users\Admin\AppData\Local\Temp\031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
C:\Users\Admin\AppData\Local\Temp\031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
20⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:316

C:\Users\Admin\AppData\Local\Temp\031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
C:\Users\Admin\AppData\Local\Temp\031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
21⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1008

C:\Users\Admin\AppData\Local\Temp\031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
C:\Users\Admin\AppData\Local\Temp\031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
22⤵
- Drops file in Drivers directory
PID:1512

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
2aed17c0c6b99f009a56f0dc665e47af

SHA1
ed4d6390809f1a059587b1db9c55cad7020aad68

SHA256
30cac89e7259067b3334b3a4941bc22ac91fc44c1d0c5af4409b2cc2c351c3a2

SHA512
ceb9b67fd649a618eb999a0cb6a634a938524670905ea804ca5aeb72deadf8a29a293fe009994fb63f23898cc260b0eb12425923949acf17ad776a439035df7f

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
090756504210cc57cc3b888e11bf32a1

SHA1
d69b3cbfa49a08de919f26f3092607210500b700

SHA256
23089253f1ad41bba5a742ea34c1f53a9f63fe865a833f679f9850461740cb9e

SHA512
ad4e7b44fb9b61d66171830131d529fe36d3fdc6e85cb343cba78584c07c1eac5d6358dd3e8940a894089c61850c84885a8f06d17827eb91199e732ead93d90d

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
810dec8b8aecf77e0a90af7a19ea2bc2

SHA1
03090bfee7f96d05e83b371d54b98f65cccb4b0a

SHA256
80c381407efc1e79d0f6d3482f7daa62f37d60199d70c8f914178781b9457e83

SHA512
a015fcb7f50f23b9bb70e6ff34c03edfe9674e7f10a02c6a59bcdb449e6b2ff7ba513ffda9513fe2fb4468a890e500f180244a7c5458359ea58d38d4b8245b2a

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
090756504210cc57cc3b888e11bf32a1

SHA1
d69b3cbfa49a08de919f26f3092607210500b700

SHA256
23089253f1ad41bba5a742ea34c1f53a9f63fe865a833f679f9850461740cb9e

SHA512
ad4e7b44fb9b61d66171830131d529fe36d3fdc6e85cb343cba78584c07c1eac5d6358dd3e8940a894089c61850c84885a8f06d17827eb91199e732ead93d90d

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
009b6ac282e5a4589f0fcc9b296f3ac6

SHA1
c1ab2acf50e7679b52a57942b98ec8d5957caf92

SHA256
b1155c271712c5b6e06a128d74e288f4f55e5628b54f056ad88b0bf10078b703

SHA512
5b6136255b33962e63c94f12e3b5dc0f2a8504eff7794a892c973f6f1e843e8f4f9c230855d32f9d085b9be5c5e3a02ef60499f2409df7def7598dead52da4e8

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
090756504210cc57cc3b888e11bf32a1

SHA1
d69b3cbfa49a08de919f26f3092607210500b700

SHA256
23089253f1ad41bba5a742ea34c1f53a9f63fe865a833f679f9850461740cb9e

SHA512
ad4e7b44fb9b61d66171830131d529fe36d3fdc6e85cb343cba78584c07c1eac5d6358dd3e8940a894089c61850c84885a8f06d17827eb91199e732ead93d90d

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
eaf2628e425e3b47d4b9feb04626aa09

SHA1
9dd60d99eea51adcc71c83f1058f6f7e97e5db0b

SHA256
ca3aff592529337b09b732224276e91325f84dd3b7e6f515670f3bbcbb0e85bc

SHA512
1e525dfbf2e80da0f877d15559932af103a7dec0e76ca5e67ea538a420f8d64fc7c63639fe83a0d0b560aec9a32bbcf5eaa33251b586a049ab3c625e1bdcfd9a

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
090756504210cc57cc3b888e11bf32a1

SHA1
d69b3cbfa49a08de919f26f3092607210500b700

SHA256
23089253f1ad41bba5a742ea34c1f53a9f63fe865a833f679f9850461740cb9e

SHA512
ad4e7b44fb9b61d66171830131d529fe36d3fdc6e85cb343cba78584c07c1eac5d6358dd3e8940a894089c61850c84885a8f06d17827eb91199e732ead93d90d

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
ced4bed5b435d271bd35a42927a0f9d5

SHA1
6e0bc4af265380a761bd326a2940fb18c1ba156e

SHA256
f1d95c9ded823b4b09afba3f508fa4224cac48f8ec2733c487e1572c0443f504

SHA512
39fd236630155f2a1105a59e35ce446f3c93e7e591d5a25158784bdbcae0d3005d88d789553a0f843536d3cb864e44632894a3f84fd2ffd43f53f1dbab5f0a05

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
090756504210cc57cc3b888e11bf32a1

SHA1
d69b3cbfa49a08de919f26f3092607210500b700

SHA256
23089253f1ad41bba5a742ea34c1f53a9f63fe865a833f679f9850461740cb9e

SHA512
ad4e7b44fb9b61d66171830131d529fe36d3fdc6e85cb343cba78584c07c1eac5d6358dd3e8940a894089c61850c84885a8f06d17827eb91199e732ead93d90d

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
1b8bda41eb7f8671a21f4123e7d71fa8

SHA1
3230284428ef6e0e11a258ff169cb2f068a70a83

SHA256
93fcc6335807c63c218d378b14af8db2e06759dd3c1932cb32853106c73f464b

SHA512
6cc3861e4cc2aedea5a595722aa022c569313ba1f293197c398281aadb43b652d99a215eb3380588d8632c0b1730ed6490271f28465a5a94701f039a32fcfdb2

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
090756504210cc57cc3b888e11bf32a1

SHA1
d69b3cbfa49a08de919f26f3092607210500b700

SHA256
23089253f1ad41bba5a742ea34c1f53a9f63fe865a833f679f9850461740cb9e

SHA512
ad4e7b44fb9b61d66171830131d529fe36d3fdc6e85cb343cba78584c07c1eac5d6358dd3e8940a894089c61850c84885a8f06d17827eb91199e732ead93d90d

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
05c6d34d0cdb087ff9ca9500274ac6cc

SHA1
1b473d89b7659318a5ba1c4aed3b0204124f4be9

SHA256
71f53e386cc807bbe36a42e3975f21033e6d9bd97f846640894726f7571f840d

SHA512
d8eef6bfe0ee39c476e52e6b658e7df9fa90784abf145ae12d77dcd9e4a7d83393947c14d9e317ea097f3af8184e7fcd697379c058030e0bd9f73172d8c854cf

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
090756504210cc57cc3b888e11bf32a1

SHA1
d69b3cbfa49a08de919f26f3092607210500b700

SHA256
23089253f1ad41bba5a742ea34c1f53a9f63fe865a833f679f9850461740cb9e

SHA512
ad4e7b44fb9b61d66171830131d529fe36d3fdc6e85cb343cba78584c07c1eac5d6358dd3e8940a894089c61850c84885a8f06d17827eb91199e732ead93d90d

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
090756504210cc57cc3b888e11bf32a1

SHA1
d69b3cbfa49a08de919f26f3092607210500b700

SHA256
23089253f1ad41bba5a742ea34c1f53a9f63fe865a833f679f9850461740cb9e

SHA512
ad4e7b44fb9b61d66171830131d529fe36d3fdc6e85cb343cba78584c07c1eac5d6358dd3e8940a894089c61850c84885a8f06d17827eb91199e732ead93d90d

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
090756504210cc57cc3b888e11bf32a1

SHA1
d69b3cbfa49a08de919f26f3092607210500b700

SHA256
23089253f1ad41bba5a742ea34c1f53a9f63fe865a833f679f9850461740cb9e

SHA512
ad4e7b44fb9b61d66171830131d529fe36d3fdc6e85cb343cba78584c07c1eac5d6358dd3e8940a894089c61850c84885a8f06d17827eb91199e732ead93d90d

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
090756504210cc57cc3b888e11bf32a1

SHA1
d69b3cbfa49a08de919f26f3092607210500b700

SHA256
23089253f1ad41bba5a742ea34c1f53a9f63fe865a833f679f9850461740cb9e

SHA512
ad4e7b44fb9b61d66171830131d529fe36d3fdc6e85cb343cba78584c07c1eac5d6358dd3e8940a894089c61850c84885a8f06d17827eb91199e732ead93d90d

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
090756504210cc57cc3b888e11bf32a1

SHA1
d69b3cbfa49a08de919f26f3092607210500b700

SHA256
23089253f1ad41bba5a742ea34c1f53a9f63fe865a833f679f9850461740cb9e

SHA512
ad4e7b44fb9b61d66171830131d529fe36d3fdc6e85cb343cba78584c07c1eac5d6358dd3e8940a894089c61850c84885a8f06d17827eb91199e732ead93d90d

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
d0e95b6d66dab858dc8e1451df7423d3

SHA1
590d651f93454b6561dddadaf882d0286520bd5d

SHA256
eb35c59fa614ed97c0bf20fe949b35aa03941f0c1e48a1035c75361c9039ca42

SHA512
8814fa303b501f7592529add22b2fb85ed20d1a60364fc86b1ee66473d65a179d38bef301538127a32b865ad226d2bea0c164a5e94f65f62e13d4a22336ac752

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
090756504210cc57cc3b888e11bf32a1

SHA1
d69b3cbfa49a08de919f26f3092607210500b700

SHA256
23089253f1ad41bba5a742ea34c1f53a9f63fe865a833f679f9850461740cb9e

SHA512
ad4e7b44fb9b61d66171830131d529fe36d3fdc6e85cb343cba78584c07c1eac5d6358dd3e8940a894089c61850c84885a8f06d17827eb91199e732ead93d90d

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
af0545a668afd594b2b50b5c289ab9f7

SHA1
79f502b68d923cadc3024d2bbce6a403da643a73

SHA256
5bc0c7f05bd08283e15cc3912a44b2d485f71f7965a9906350736a846c707c04

SHA512
cb67056749e395b1bc07139f8c5865f0946258424340bc3fcf57a955c45d67de3c52d4339b72e341bd5dcf1e83b4468ebc6d2573e92cb89bdf84105231d182e3

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
090756504210cc57cc3b888e11bf32a1

SHA1
d69b3cbfa49a08de919f26f3092607210500b700

SHA256
23089253f1ad41bba5a742ea34c1f53a9f63fe865a833f679f9850461740cb9e

SHA512
ad4e7b44fb9b61d66171830131d529fe36d3fdc6e85cb343cba78584c07c1eac5d6358dd3e8940a894089c61850c84885a8f06d17827eb91199e732ead93d90d

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
604387c6080ed801b594019918cce769

SHA1
960844ac304f0ce3172ebbdabdb832a2c15a25df

SHA256
845c3af84e5ca02f3eb7c473e30b6d2cad85faa97c4c46ebcfa89dddb4a15bd7

SHA512
38fa37d89ad2624c8e069a7324ba8b81d37fb44d278bcba4231fb005d43bd8c7138eca7a489847615ddf327e221d94903614fcfc8941f7927d58028371484f7d

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
23a4c451e5a21eda59a7eb0469b6ff81

SHA1
d7b3d405c8f0639528ce17ae175680df4c2a49ec

SHA256
4470c72caaabd947fd470ae36d23033ab4d4c1ba202471138da5a60e970581a0

SHA512
55309d64ff3e74a54f8d3ead441a5afbc1b06fec321bb6ab7d9f9f098e2b2302dfe6254224981f1c71a0ff20a2e50e9b7fbcdf765006f2719a654cd6a7cf67aa

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
898f361a00a631097aa884709b994e53

SHA1
ffb8b80a3ba5f13e3fc99a718948d87c443b5057

SHA256
d4f8e33a7e274b741e8cc46b55b336397328cc3340235c523f67b0fe4f93cd20

SHA512
e42d7c22b4533c992f459e543275eb6617557c75f3c3250cdc0e3665fbcfbdb4c02c216f5c713e8c67ed42440494d131cee05af5f8977c06e93448c9fec997c9

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
61a4d33c65bdd267f99973885848be70

SHA1
00121d5adb4f3c507752101d284e0feb5ef3d2ff

SHA256
23d6b38ed546854fec2d3690b8c64cf1b94b34023256e33c312acfed7004df00

SHA512
342897a3fdb7a685f8f6c81ffc9c9e43433a35c48abfc857685f6cd290e91d221c40421f4b99413e2559a168943539fadb8fb1c715c7c09ba5e4ff60abee898b

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
5e3e769fd50ae500fb20142ed547c11d

SHA1
a63a9a3dcf96c4fbca81816d22c2ad4387dd5769

SHA256
397f18b28f304b824a3095c17b83df2160672a9a610f287fb15c00ad23778f99

SHA512
6a866516d42d96c539236fee0e0dd0f6463c3b310990da2a81938332f08d1e6efb7750d6892baeab9536bc9fe4029204cd3d54ad910347e63eb2f4da7439de0a

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
d9260de43370f644857e1ae147c8cd2d

SHA1
6a4a993490c7de26e4a880a8095e29c796c2a36d

SHA256
de0e06ad7b2b9f4fb8936c28d0db1136efdad60b3845c36fe9337b3843548b3a

SHA512
1a22520f4bc0d7f28af943a15fea2654052a535207cc31ff0f2200418488d0e418b7bb05a8387dbf654acc45702e1ad4a57367c4d315a9cfdcafd51863cfaccd

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
dbcf12715c5459c6b6f7f88cd3850204

SHA1
9a23428fabbc4cc467c714df5e293415023284c4

SHA256
8d07a4a60d0914f1f2080897033d120d676972b424e3c0c68d0fbfe879dca17c

SHA512
3603e3be71570f06e47c83bb1b3eda047a71763f69269148343c1c05e77aff2c269c7e7392e75a54fd3653fe023f5a3fa615f7e9b48853edeca0002911e8cd04

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
6cd19501a72b6de46348272156cd968a

SHA1
366305d4cbeab287325c953101fe374d262cf2f2

SHA256
eb84490078e65afc643a552efaea9dcde1bdc543ec9d775049ba559acdb93b33

SHA512
a5dc9dff3f18ac96b895a10800ce5ec3717ba12cf2e862ec2e77ba775efeb441d9a1363201dd913ef3b16199eb21fea1cf18d5d44f484ae2680d592188f11c64

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
531a876b5aa65fd24c21b6209bc62db0

SHA1
62b773a23ce3b3eb64f14940b34bb1850c94fa21

SHA256
406ed40695a0a12ecd1648fd5e09bce0a4eb105075144400019913eca0bd9b1f

SHA512
ce6dd10403a0f820116d7c9a0dc4d473563bc692d190bb7eb54b318ce6694addeabfc0f931b9522e3fa9a060b945e7aeb2673e06f80e4a0a195d3f18393e6073

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
82ed0938e42bdb753b9192d4d7bf93c5

SHA1
a80f55b5af8146530a2ea324c20d937b41aa7c6b

SHA256
0b6b54d5637ed509b6488ad9694e1a4acac47a54407dd4be60532b90b750ca20

SHA512
563f3bbf1210ae9d8b16c56141eda221d292ab83f63f9167e1dbf2b360735fa44c501c112f52c1c70c28519163312b29fddce704ed20965338b6d8c5482cd1e8

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
777d2af12cd2188a5402fde042015847

SHA1
398f794ed0e07500ed7559d8f60a49ead3090a55

SHA256
91b4e6b5b923cdb5755838dcef52d13435fee595029438b0a6f0b4e3e4a6be58

SHA512
396e90f0cebe9e33e995d94da93eb3118a272c413439e267a213faefb0c01745242027ec2f252fc900f934fb30e403f4af9f2a83653d0e4aadca284638b7c0aa

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
6a32f819e106f1d7ee405f38c9a85e07

SHA1
707d727c71ddf83f8cc557bc89d58b546bbaed42

SHA256
f61a08d7533c343f6eb73cfd5ed5547c0112817a9e21ae9ec59516fdea3134f7

SHA512
05be75b86c9955dc4252f30216fc54f3c5bbdcd69a49581c9d42fa1eaf7a94668b578613120a0bfd229f426467a1c761e351526a2330bbb9786587f358e62dbe

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
8937bdc064413f89742f164c8cbd20e8

SHA1
3385c21cb2c208a631bcfd0f0f46da78222c84bd

SHA256
cd7ad648ed3ffcd9bb029f27328998a47c113b391a1979c3592e6b6b8f7b667f

SHA512
fd9f372a6b521d738139b26ec328c15b30e6697a7b1cc92e52e5c3dfdc874e8ca3343a595a5c6ffc59a949ec25cdb80413c6bd7a05e0005a3973aedc77786cd8

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
d718e92440c6bccbf98af7944a3e9b7b

SHA1
1543a1227f3ad4a8747ecb0247421fb5ab6fe859

SHA256
d3180d2de83ecc81ee4d001ef0ac38b37e65e190b7bf0922095122046735c4b5

SHA512
e49ac94456507b274aba3e8e4265303896a1c37255c95766cac17bf7f1605739d540a41b38dd54debc19a446aec4b853d81635ce19d7824db76a9746ef1814d6

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
fbcad6de91cfd032c9d2b0b205274bdd

SHA1
bd71dd582a404d0025bae937431f740ff1b1ceae

SHA256
f1c2dd207ac04dc551672217f91767dadf0cd8ae04ab11256b2fe33971f61dd5

SHA512
1a9e5bdfbbfa40209034d3ba61228b2d8264d5fc3a8e264685fdc6a6ff2551cb1f355aa00dade0a02d0f1d684d7881a99beadff9b7aa2c7a4f19b3efbfff5fca

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
52b1d44d808cd2b2c5e9835850a4fdf2

SHA1
ff3c86abfb817f3096a9393699f556d29268f9da

SHA256
704e569050bd604b1ab9ffe4693c73ddf29406527447be670915203474427077

SHA512
e60002ab722fa49537f135c4f90285dd30da675e926eeb115828e5cf0c5b031f233124f93003e41428cc8de79a412135df4ab76d804eeb4e45f010aa9c103ba4

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
86b9e3a3311fd0f5cf4098e713a3e658

SHA1
3d12d21ac75dc160d98f5beaee9b58c83ed07544

SHA256
13df28d04c60b9c501291d3291c81a7be8785fea087342179333f65af70ee4fe

SHA512
c0f36b3b2b2a4f4852961785ac1fefd6e3db440ba08f7f6351673a57cf55df549806eb0a93909905488a3c2f0417fa5121b74866087bf09724ec6da09f307c1b

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
6664d420d64cac523809f32949bc3e53

SHA1
d1a68b4f8c61e14c1a2c1cb3dccffde98b17c763

SHA256
eca943626f953f5d7b0d6da1fb191d1ee79e8a9d44755cf626400964c0b0a843

SHA512
ea5ee4637422a6af7f4dcf4259bff9015f1f8ca5e9349920358c49d599ece8768ea3da92350ed13e081a4f59dc54a0b7abd1da0059763f5b8ee5dbcc2e6be515

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
8e9c8d0749113ce0b676b644a8a1ae7a

SHA1
df662e419c586d2d3ca11e9345a4552c5cf163ea

SHA256
2dd38f783e3c0bb677bada8616c016fc7853c7ba858637bc9be70a3c946b1213

SHA512
2457c7f8617bcdcf0b90a6a025f78a6dc749c0fa4db5fd6cde959c896628db2cfed55de823f16bfcf5b2dbf85070e26fcbd42dd838568bd2c4820ed5796e7e73

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
80e8a913ca95b8df0185e6388a928028

SHA1
1f716e02bb89ee182d308f3e3f0a43f4d95b3be4

SHA256
a3a008d9f29c35f16a256514ce8f198002383be8608a7009f0e0c846678e19b9

SHA512
4b358b29d4e11992c015a5317147faac0c7a149773b1d31ba1c46a3251ba071ee09f6a7aea56d05eb39f1342d3731fef2a4762a9aa5b412dadc3507331eca08b

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/316-152-0x0000000000000000-mapping.dmp

Download
memory/484-127-0x0000000000000000-mapping.dmp

Download
memory/832-72-0x0000000000000000-mapping.dmp

Download
memory/920-77-0x0000000000000000-mapping.dmp

Download
memory/924-137-0x0000000000000000-mapping.dmp

Download
memory/1008-157-0x0000000000000000-mapping.dmp

Download
memory/1080-61-0x0000000075D11000-0x0000000075D13000-memory.dmp

Filesize
8KB

Download
memory/1288-60-0x0000000000000000-mapping.dmp

Download
memory/1300-62-0x0000000000000000-mapping.dmp

Download
memory/1388-107-0x0000000000000000-mapping.dmp

Download
memory/1512-162-0x0000000000000000-mapping.dmp

Download
memory/1544-92-0x0000000000000000-mapping.dmp

Download
memory/1552-67-0x0000000000000000-mapping.dmp

Download
memory/1592-112-0x0000000000000000-mapping.dmp

Download
memory/1600-142-0x0000000000000000-mapping.dmp

Download
memory/1668-97-0x0000000000000000-mapping.dmp

Download
memory/1676-102-0x0000000000000000-mapping.dmp

Download
memory/1692-82-0x0000000000000000-mapping.dmp

Download
memory/1740-117-0x0000000000000000-mapping.dmp

Download
memory/1796-87-0x0000000000000000-mapping.dmp

Download
memory/1876-132-0x0000000000000000-mapping.dmp

Download
memory/1956-147-0x0000000000000000-mapping.dmp

Download
memory/2004-122-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 1080 wrote to memory of 1288	1080	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	reg.exe
PID 1080 wrote to memory of 1288	1080	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	reg.exe
PID 1080 wrote to memory of 1288	1080	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	reg.exe
PID 1080 wrote to memory of 1288	1080	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	reg.exe
PID 1080 wrote to memory of 1300	1080	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 1080 wrote to memory of 1300	1080	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 1080 wrote to memory of 1300	1080	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 1080 wrote to memory of 1300	1080	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 1300 wrote to memory of 1552	1300	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 1300 wrote to memory of 1552	1300	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 1300 wrote to memory of 1552	1300	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 1300 wrote to memory of 1552	1300	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 1552 wrote to memory of 832	1552	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 1552 wrote to memory of 832	1552	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 1552 wrote to memory of 832	1552	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 1552 wrote to memory of 832	1552	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 832 wrote to memory of 920	832	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 832 wrote to memory of 920	832	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 832 wrote to memory of 920	832	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 832 wrote to memory of 920	832	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 920 wrote to memory of 1692	920	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 920 wrote to memory of 1692	920	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 920 wrote to memory of 1692	920	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 920 wrote to memory of 1692	920	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 1692 wrote to memory of 1796	1692	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 1692 wrote to memory of 1796	1692	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 1692 wrote to memory of 1796	1692	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 1692 wrote to memory of 1796	1692	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 1796 wrote to memory of 1544	1796	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 1796 wrote to memory of 1544	1796	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 1796 wrote to memory of 1544	1796	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 1796 wrote to memory of 1544	1796	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 1544 wrote to memory of 1668	1544	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 1544 wrote to memory of 1668	1544	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 1544 wrote to memory of 1668	1544	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 1544 wrote to memory of 1668	1544	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 1668 wrote to memory of 1676	1668	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 1668 wrote to memory of 1676	1668	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 1668 wrote to memory of 1676	1668	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 1668 wrote to memory of 1676	1668	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 1676 wrote to memory of 1388	1676	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 1676 wrote to memory of 1388	1676	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 1676 wrote to memory of 1388	1676	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 1676 wrote to memory of 1388	1676	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 1388 wrote to memory of 1592	1388	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 1388 wrote to memory of 1592	1388	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 1388 wrote to memory of 1592	1388	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 1388 wrote to memory of 1592	1388	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 1592 wrote to memory of 1740	1592	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 1592 wrote to memory of 1740	1592	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 1592 wrote to memory of 1740	1592	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 1592 wrote to memory of 1740	1592	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 1740 wrote to memory of 2004	1740	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 1740 wrote to memory of 2004	1740	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 1740 wrote to memory of 2004	1740	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 1740 wrote to memory of 2004	1740	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 2004 wrote to memory of 484	2004	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 2004 wrote to memory of 484	2004	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 2004 wrote to memory of 484	2004	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 2004 wrote to memory of 484	2004	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 484 wrote to memory of 1876	484	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 484 wrote to memory of 1876	484	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 484 wrote to memory of 1876	484	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe
PID 484 wrote to memory of 1876	484	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe	031d82d0d39544530b54011ec61234f675da9c70f3e68ac49565d6a1f0082f88.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads